CTF writeups, exploits & solutionshttps://kagisosec.com/https://kagisosec.com/writeups/htb-postman/https://kagisosec.com/writeups/htb-postman/An Easy Linux box: an unauthenticated Redis 4.x instance writes an SSH key into the redis user's authorized_keys for a foothold, an encrypted /opt/id_rsa.bak cracks to computer2008 to reach Matt via su, and Webmin 1.910 falls to CVE-2019-12840 command injection (running as root) for a root shell.Fri, 05 Jun 2026 00:00:00 GMTlinuxredisssh-key-injectionjohnwebmincve-2019-12840command-injectionmetasploitprivilege-escalationhttps://kagisosec.com/writeups/htb-trick/https://kagisosec.com/writeups/htb-trick/An Easy Linux box: a DNS zone transfer leaks a preprod payroll vhost, a boolean SQL injection with the MySQL FILE privilege reads the nginx config to expose a second vhost, then a str_replace LFI bypass combined with SMTP mail-spool poisoning lands RCE as michael — and a writable fail2ban action plus a passwordless sudo restart escalates to root.Thu, 04 Jun 2026 00:00:00 GMTlinuxdns-zone-transfersmtpsql-injectionsqlmaplfimail-poisoningrcefail2banprivilege-escalationhttps://kagisosec.com/writeups/critical-ops/https://kagisosec.com/writeups/critical-ops/An HTB web challenge, the app shipped its JWT signing key in the client-side bundle, so reading it from DevTools let me forge an admin token, hit a privileged endpoint and grab the flag.Wed, 03 Jun 2026 00:00:00 GMTwebjwtauthentication-bypasstoken-forgerysource-code-reviewburpsuitehttps://kagisosec.com/writeups/htb-fluffy/https://kagisosec.com/writeups/htb-fluffy/An assumed-breach Windows AD box: steal a second user's NTLM hash with CVE-2025-24071, map ACLs in BloodHound, abuse GenericAll/GenericWrite with bloodyAD + Certipy shadow credentials to reach winrm_svc, then exploit an ADCS ESC16 misconfiguration to impersonate the Administrator.Wed, 03 Jun 2026 00:00:00 GMTactive-directorywindowssmbcve-2025-24071ntlmresponderbloodhoundshadow-credentialscertipyadcsesc16winrmhttps://kagisosec.com/blog/cwes-experience/https://kagisosec.com/blog/cwes-experience/My road to the Hack The Box Certified Web Exploitation Specialist (CWES), a year in the CBBH path, a focused month of revision, and a 4-day, 9-flag exam.Wed, 03 Jun 2026 00:00:00 GMTcweshacktheboxcertificationwebcareerhttps://kagisosec.com/writeups/htb-support/https://kagisosec.com/writeups/htb-support/An Easy Windows AD box, reverse-engineering a custom .NET binary to recover LDAP credentials, looting a plaintext password from an AD info attribute, then chaining GenericAll → RBCD to impersonate Administrator for SYSTEM.Sun, 24 May 2026 00:00:00 GMTactive-directorywindowssmbldapdotnetbloodhoundrbcdkerberoswinrmhttps://kagisosec.com/writeups/akerva-fortress/https://kagisosec.com/writeups/akerva-fortress/An 8-flag HTB Fortress, leaking a backup script over SNMP, bypassing auth with HTTP verb tampering, abusing a Flask LFI to forge the Werkzeug debugger PIN for RCE, then PwnKit to root and a Vigenère-encrypted final flag.Mon, 18 May 2026 00:00:00 GMTwordpresssnmphttp-verb-tamperinglfiwerkzeugflaskpwnkitvigenerelinuxhttps://kagisosec.com/writeups/htb-helix/https://kagisosec.com/writeups/htb-helix/A Medium Linux box, abusing an exposed Apache NiFi instance for RCE through H2 SQL aliases, recovering an SSH key from a support bundle, then driving an OPC UA / ICS reactor over an SSH tunnel to open a privileged maintenance window and reach root.Sun, 17 May 2026 00:00:00 GMTlinuxapache-nifirceh2-databasesshopc-uaicsjohntunnelinghttps://kagisosec.com/blog/security-plus-experience/https://kagisosec.com/blog/security-plus-experience/How I prepared for CompTIA Security+, what challenged me, and what helped me pass on my first attempt.Sat, 21 Mar 2026 00:00:00 GMTsecurity+comptiacertificationcareerhttps://kagisosec.com/writeups/picomini-byp4ss3d/https://kagisosec.com/writeups/picomini-byp4ss3d/Bypassing a file upload filter on Apache by abusing .htaccess to execute a PHP webshell disguised as a JPEG, achieving full RCE and reading the flag.Fri, 17 Oct 2025 00:00:00 GMTwebfile-uploadhtaccessapachercephpburpsuite